[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 18 Apr 2019 21:34:15 +0800
From: Fuqian Huang <huangfq.daxian@...il.com>
To: oss-security@...ts.openwall.com
Subject: Linux kernel < 4.14.111 drivers/nfc/nfcmrvl/usb.c kernel address
dumps to user space
In drivers/nfc/nfcmrvl/usb.c:164,
nfcmrvl_tx_complete will dump the address of urb to dmesg,
which allows local user to read kernel address via dmesg.
static void nfcmrvl_tx_complete(struct urb *urb)
{
...
nfc_info(priv->dev, "urb %p status %d count %d\n",
urb, urb->status, urb->actual_length);
...
}
In drivers/nfc/nfcmrvl/usb.c:308,
nfcmrvl_probe will dump the address of inf to dmesg,
which allows local user to read kernel address via dmesg.
static int nfcmrvl_probe(struct usb_interface *intf,
const struct usb_device_id *id)
{
...
nfc_info(&udev->dev, "intf %p id %p\n", intf, id);
...
}
In drivers/nfc/nfcmrvl/usb.c:368,
nfcmrvl_disconnect will dump the address of inf to dmesg,
which allows local user to read kernel address via dmesg.
static void nfcmrvl_disconnect(struct usb_interface *intf)
{
...
nfc_info(&drv_data->udev->dev, "intf %p\n", intf);
...
}
In drivers/nfc/nfcmrvl/usb.c:375,
nfcmrvl_suspendwill dump the address of inf to dmesg,
which allows local user to read kernel address via dmesg.
static int nfcmrvl_suspend(struct usb_interface *intf, pm_message_t message)
{
...
nfc_info(&drv_data->udev->dev, "intf %p\n", intf);
...
}
In drivers/nfc/nfcmrvl/usb.c:416,
nfcmrvl_resume dump the address of inf to dmesg,
which allows local user to read kernel address via dmesg.
static int nfcmrvl_resume(struct usb_interface *intf)
{
...
nfc_info(&drv_data->udev->dev, "intf %p\n", intf);
...
}
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
